
You Can’t Bolt Zero Trust onto Operational Technology. Start Over.

Federal CTO of Cybersecurity
April 27, 2026

Why OT zero trust mandates aren’t IT upgrades but mission-engineering problems.

In November 2025, the Department of War (DoW) issued one of the most consequential cybersecurity directives of the decade: 105 specific activities and capability outcomes for implementing Zero Trust (ZT) across operational technology (OT). Then in January 2026, the NSA followed with its own phased Zero Trust Implementation Guidelines (ZIGs), covering 91 discrete activities to bring organizations to target-level ZT maturity. Together, these documents send a clear message: Zero Trust is no longer a data center problem. It’s a power grid problem. A water treatment problem. A weapons support system problem. And federal leaders who treat this as another IT lifecycle upgrade are about to make a very expensive mistake.

Why IT Security Models Fail in OT Environments

The reflex across most federal agencies and their contractors, when a new cybersecurity mandate lands, is to look at the existing architecture and figure out how to map controls onto it. For IT systems, that approach works well enough: you identify your assets, layer in identity controls, segment the network, and incrementally close gaps. But OT systems were never designed with that model in mind. They were designed for reliability, determinism, and longevity. A programmable logic controller running an HVAC system on a military installation was not built to handle continuous authentication; the protocols it speaks, Modbus/TCP among them, carry no notion of user identity at all, so there is nothing on the wire to re-verify. A SCADA system managing fuel distribution at a depot was not designed with microsegmentation in mind, and a packet that a new policy enforcement point delays or drops there can be a process upset, not a retry. The DoW’s own November 2025 guidance explicitly acknowledged this: applying standard IT security approaches to OT environments can be ineffective and potentially dangerous. That sentence should be read as a warning to every program manager who has ever asked an IT integrator to extend ZT to OT.

This is a Mission-Engineering Problem, Not a Network Problem

The typical response is to install sensors, add a monitoring layer, and declare partial compliance. That is not Zero Trust. That is Zero Trust theater. And theater will not hold up when DoW inspectors start measuring against the 84 target-level capability outcomes that DTM 25-003 now mandates for all DoW components, across all unclassified and classified systems.

The right frame for OT Zero Trust is not network security. It is mission engineering. The DoW’s ZT for OT framework is organized around seven pillars: users, devices, applications and workloads, data, networks and environments, automation and orchestration, and visibility and analytics. Notice that “networks” sits in the middle of that list, not at the top. That is intentional. The center of gravity in OT Zero Trust is the DAAS: Data, Applications, Assets, and Services. The question is not “how do I segment this OT network?” It is “what data does this control system produce, what decisions does it inform, who or what is authorized to act on it, and how do I validate that continuously?”

This distinction matters enormously in practice. When you start from the DAAS outward, you discover that most OT environments have never done a rigorous data classification exercise. They have no asset inventory that includes firmware versions and communication dependencies. Their “authorized users” include legacy service accounts that have not been audited in years. Their third-party maintenance contracts give vendors remote access with no behavioral monitoring attached. Starting from the DAAS exposes all of that. Starting from the network hides it beneath a firewall rule that gives everyone a false sense of security.

Where Federal Leaders Should Act First

For federal CISOs and program managers, the first action is not technical. It is contractual. Most OT systems in federal environments are owned by mission offices, sustained by contractors, and governed under acquisition frameworks that predate any Zero Trust requirement. DTM 25-003 and the accompanying OT ZT Activities and Outcomes document now give you the policy grounds to reopen performance work statements and require contractors to demonstrate capability outcomes, not just describe control implementations. That change still has to be written into the contract as a modification through the contracting officer; a policy memo by itself binds no vendor. If your current OT sustainment contract does not include ZT capability outcomes as deliverables, it does not reflect current policy.

The second action is visibility. You cannot enforce Zero Trust on systems you cannot see. The NSA’s phased ZIGs start with a Discovery phase for a reason: asset inventory and data flow mapping are prerequisites, not optional. Agencies that skip straight to enforcement will create incidents, not prevent them. Invest in passive monitoring fed from a network TAP or switch SPAN port, which can characterize OT traffic without putting a single packet on the control network; do not reach for the IT-style active scanner, because unsolicited probes have been known to fault or reboot legacy controllers. Understand what normal looks like, including the rare but legitimate flows such as a quarterly vendor maintenance session, before you start enforcing what abnormal means. Once you have that visibility baseline, the rest of the ZT capability framework becomes actionable rather than theoretical.
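To make the discovery-before-enforcement point concrete, here is an added example; it is not code from this post or from any DoW or NSA publication. It takes constructed flow summaries of the kind a passive sensor on a TAP would emit for a small cell (an HMI polling two PLCs over Modbus/TCP, a historian pulling from the HMI over OPC UA, a vendor jump host reaching the HMI over RDP), builds the conversation baseline and a per-asset data-flow map, triages later flows against it, and dry-runs an allowlist derived from that baseline to show what an enforcement cutover would actually drop. All addresses, the port-to-service labels and the "minimum observations" threshold are assumptions for illustration.

```python
"""Passive OT conversation baseline and an enforcement dry-run.

Added example, not from the post or any DoW/NSA document. The flow
summaries below are constructed to look like what a passive sensor on a
TAP or SPAN port would emit for a small ICS cell. Nothing here sends
traffic; it only reasons about records already collected.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One summarized conversation: who talked to whom, over which service."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

# Port-to-service labels used only for readable output (assumed, not authoritative).
SERVICE_NAMES = {502: "modbus", 20000: "dnp3", 44818: "enip", 4840: "opc-ua",
                 22: "ssh", 3389: "rdp"}

# Assumed addresses for the constructed cell.
HMI, PLC_A, PLC_B = "10.10.1.10", "10.10.1.21", "10.10.1.22"
HISTORIAN, VENDOR_JUMP = "10.10.2.5", "10.10.9.40"

def _repeat(flow, n):
    return [flow] * n

# Constructed one-day learning window (assumed cadence).
BASELINE_FLOWS = (
    _repeat(Flow(HMI, PLC_A, "tcp", 502), 1440)        # HMI polls PLC-A once a minute
    + _repeat(Flow(HMI, PLC_B, "tcp", 502), 1440)      # HMI polls PLC-B once a minute
    + _repeat(Flow(HISTORIAN, HMI, "tcp", 4840), 288)  # historian pulls OPC UA every 5 min
    + _repeat(Flow(VENDOR_JUMP, HMI, "tcp", 3389), 2)  # two legitimate vendor RDP sessions
)

# Constructed flows seen after the learning window closed.
NEW_FLOWS = [
    Flow(HMI, PLC_A, "tcp", 502),           # routine poll
    Flow(VENDOR_JUMP, PLC_B, "tcp", 502),   # vendor host talking Modbus straight to a PLC
    Flow("10.10.7.77", PLC_A, "tcp", 502),  # never-inventoried host polling PLC-A
    Flow(HISTORIAN, HMI, "tcp", 4840),      # routine pull
    Flow(VENDOR_JUMP, HMI, "tcp", 3389),    # rare but legitimate maintenance session
]

def build_baseline(flows):
    """Count each (src, dst, proto, dport) conversation and collect the asset set."""
    pairs = Counter((f.src, f.dst, f.proto, f.dport) for f in flows)
    assets = {f.src for f in flows} | {f.dst for f in flows}
    return pairs, assets

def conversation_map(pairs):
    """Per-asset data-flow map: the Discovery-phase artifact, derived from traffic."""
    peers = defaultdict(set)
    for src, dst, proto, dport in pairs:
        svc = SERVICE_NAMES.get(dport, f"{proto}/{dport}")
        peers[src].add(f"-> {dst} {svc}")
        peers[dst].add(f"<- {src} {svc}")
    return {asset: sorted(p) for asset, p in peers.items()}

def classify(flow, pairs, assets):
    """Triage a post-baseline flow: known, new conversation, or unknown asset."""
    key = (flow.src, flow.dst, flow.proto, flow.dport)
    if key in pairs:
        return "known"
    if flow.src not in assets or flow.dst not in assets:
        return "unknown-asset"      # inventory gap: go find the device first
    return "new-conversation"       # both sides known, this pairing/service is not

def policy_from_baseline(pairs, min_observations=1):
    """Derive the allowlist a segmentation rule would enforce.

    min_observations is the tempting 'trim the noise' knob; raising it silently
    drops rare legitimate flows (assumed threshold, see the dry run).
    """
    return {key for key, n in pairs.items() if n >= min_observations}

def enforcement_dry_run(flows, allowlist):
    """Split flows into what the allowlist permits and what it would have blocked."""
    allowed = [f for f in flows if (f.src, f.dst, f.proto, f.dport) in allowlist]
    dropped = [f for f in flows if (f.src, f.dst, f.proto, f.dport) not in allowlist]
    return allowed, dropped

def main():
    pairs, assets = build_baseline(BASELINE_FLOWS)
    print(f"{len(assets)} assets, {len(pairs)} conversations in baseline")
    for asset, peers in sorted(conversation_map(pairs).items()):
        print(f"  {asset}: {', '.join(peers)}")
    for f in NEW_FLOWS:
        print(f"{classify(f, pairs, assets):17} {f.src} -> {f.dst}:{f.dport}")
    for threshold in (1, 10):
        _, dropped = enforcement_dry_run(NEW_FLOWS, policy_from_baseline(pairs, threshold))
        print(f"enforce with min_observations={threshold}: {len(dropped)} flows dropped")

if __name__ == "__main__":
    main()
```

Run it as a script and the dry run is the check to read before anyone flips a segmentation rule to enforce: with the allowlist taken straight from the one-day baseline, the two genuinely suspicious flows (the vendor host talking Modbus directly to a PLC, and a host nobody has inventoried) are the only ones blocked, but "trimming noise" with a threshold of ten observations also blocks the vendor's legitimate RDP session, which is exactly the kind of outage that gets Zero Trust rolled back in an OT environment. A longer learning window, or an explicit reviewed exception for the rare flow, fixes that before enforcement, not after.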

Third, do not treat this as a one-time compliance project. The NSA ZIGs are explicitly phased and modular. Target-level maturity covers 91 activities; advanced-level maturity adds 61 more. This is a multi-year program that should be embedded in your capital planning and ATO renewal cycles, not managed as a standalone initiative with a sunset date.

Checklist vs. Doctrine

The DoW just told you that your OT environment is in scope, defined what compliance looks like across 105 measurable activities, and handed you a phased implementation roadmap. The only remaining question is whether you treat this as a checklist or a doctrine. Doctrine wins. Checklists expire.
